Hi HN, we’re the co-founders of Infisical (
https://infisical.com), an open-source platform to sync application secrets and configs across your engineering team and infrastructure. We enable teams to store their secrets in a centralized location and distribute them anywhere from local development processes to staging/production environments.
Our Github is at https://github.com/infisical/infisical.
We previously worked at AWS, Figma, and another startup, where we frequently ran into problems dealing with secret management. For example, many companies used .env files to maintain their development secrets and struggled to keep secrets in sync amongst their teams (this routinely posed security and efficiency issues — secrets can get leaked or go missing). Some companies (especially bigger ones) used solutions like Vault which can be difficult to set up, maintain, and afford.
While secret managers exist, they’re imperfect for many reasons: open-source solutions are either too complicated, not comprehensive, not user-friendly, or a mix of all three; there are nicer closed-source solutions but with no self-hosted options available. The gap we see is to make something that’s simple, open-source, and powerful.
On the open-source front, our goal is to provide full transparency of our codebase and enable anyone in the community to build anything they want in an optimal secret management solution. If you need any feature or integration that we don’t yet support, you can post an issue about it or directly send in a PR to be reviewed immediately.
You can inject the right set of secrets for any environment into your application by using the Infisical CLI together with your application start command (e.g. infisical run -- npm run dev). This removes the need to use a .env file. Everything stays encrypted with encryption/decryption operations occurring on the client-side — under the hood, secrets are encrypted by vault keys for which there are multiple copies of vault keys encrypted under the public key of each member of a vault (ensuring only members of vaults can decrypt secrets pertaining to that vault locally). An alternative way is to use our Open API - though it’s a little complicated, and we’re working on adding SDKs to abstract away the cryptography.
Infisical integrates with staging and production cloud services like AWS, Vercel, GitHub Actions, and Circle CI. We also added support for integrations with Docker, Kubernetes, and Terraform. Infisical is now a central source of truth for secrets across the entire development cycle from development to production with new integration releases every week.
One interesting thing is that, by default, our platform is end-to-end encrypted but users can opt out of that if they need to integrate with cloud platforms that require secrets to be sent in decrypted format (e.g. GitHub Actions, Vercel, Render). We’re the only solution that we know of that offers this E2EE-with opt-out ability.
Since our last Show HN (https://news.ycombinator.com/item?id=34510516), we’ve layered authentication with 2FA (more MFA options coming soon) and upgraded all private key encryption/decryption steps to involve a 256-bit protected key decrypted by another key generated via Argon2id KDF from the user’s password. We are starting the process of obtaining SOC2 and other security and compliance certifications. You can read more about our security here: https://infisical.com/docs/security/overview
Beyond this, we’ve added integrations with PM2, AWS Secrets Manager, AWS Parameter Store, Circle CI, Travis CI, GitLab CI/CD, Terraform and more. We’ve also redesigned the main dashboard and added more advanced organizational structure for secrets. Lastly, we have added role-based access control, and improved our Kubernetes operator: your clusters are now auto-redeployed when secrets in Infisical change. In the coming weeks and months, we plan to add features like secret rotation, improved audit logs, SDKs and alerts; as well as increase the range of our integrations; and continue fortifying platform security and stability.
We’ve launched this repo under the MIT license so any developer can use the platform. We don’t charge individual developers or small teams—all the integrations are fully available to everyone. We make money by charging a license fee for enterprise features as well as providing a hosted version and support.
If you found it interesting, you can see a demo video here: https://www.loom.com/share/9a8904c6ecc84d0899d53ee1f7a36385
We’d love for you to give Infisical a try (https://infisical.com) and provide any feedback. If you're interested, our code is available here: https://github.com/infisical/infisical. If we don’t have something, let us know and we’d be happy to build it for you. We look forward to your comments!